LinkNYC kiosks have become a familiar eyesore to New Yorkers. Over 1,600 of these towering, nine-and-a-half-foot monoliths — their double-sided screens festooned with ads and fun facts — have been installed across the city since early 2016. Mayor Bill de Blasio has celebrated their ability to provide “the fastest and largest municipal Wi-Fi network in the world” as “a critical step toward a more equal, open, and connected city for every New Yorker, in every borough.” Anyone can use the kiosks’ Android tablets to search for directions and services; they are also equipped with charging stations, 911 buttons, and phones for free domestic calls.
But even as the kiosks have provided important services to connect New Yorkers, they may also represent a troubling expansion of the city’s surveillance network, potentially connecting every borough to a new level of invasive monitoring. Each kiosk has three cameras, 30 sensors, and heightened sight lines for viewing above crowds.
Since plans for LinkNYC were first unveiled, journalists, residents, and civil liberties experts have raised concerns that the internet kiosks might be storing sensitive data about their users and possibly tracking their movements. For the last two years, the American Civil Liberties Union, Electronic Frontier Foundation, and a small but vocal group of activists — including ReThink LinkNYC, a grassroots anti-surveillance group, and the anonymous Stop LinkNYC coalition — have highlighted the kiosks’ potential to track locations, collect personal information, and fuel mass surveillance.
Now an undergraduate researcher has discovered indications in LinkNYC code — accidentally made public on the internet — that LinkNYC may be actively planning to track users’ locations.
You’re the Product
Plans to replace the city’s payphone booth network with Wi-Fi-enabled kiosks were first announced by de Blasio in 2014. Less than a year later, the city awarded a contract to a chameleon-like consortium of private companies known as CityBridge. It was an attractive deal: LinkNYC kiosks, at no cost to the city, would provide free internet coverage to anyone walking by. CityBridge, in turn, would be responsible for the installation, ownership, and construction of the devices, with plans to earn back its expenses through advertising. The twin 55-inch displays will eventually carry targeted ads derived from the information collected about kiosk users.
These terms raised alarms among internet researchers and privacy experts, who were quick to point out that nothing in life is truly free. “As we know,” Benjamin Dean, a technology policy analyst, told attendees at a New York hacking conference in 2016, “When you’re not paying, you’re not the customer — you’re the product.”
The key player in CityBridge is known as Intersection, and one of Intersection’s largest investors is Sidewalk Labs, with whom it also shares the same offices and staff. Sidewalk Labs CEO Daniel Doctoroff is the chair of Intersection’s board. Sidewalk Labs is owned by Google’s holding company, Alphabet Inc. In other words, the plan to blanket New York City with 7,500 camera-equipped obelisks has been largely underwritten by the company formerly known as Google — a corporation whose business model depends on selling your personal information to advertisers. As Doctoroff, who was also the city’s former deputy mayor of economic development, has said of the kiosks: “By having access to the browsing activity of people using the Wi-Fi — all anonymized and aggregated — we can actually then target ads to people in proximity and then obviously over time, track them through lots of different things, like beacons and location services, as well as their browsing activity. So in effect, what we’re doing is replicating the digital experience in physical space.”
In March 2016, the New York Civil Liberties Union raised multiple concerns with the mayor’s office about LinkNYC’s vast and indefinite data retention and the possibilities for unwarranted NYPD surveillance. The NYCLU asked whether environmental sensors and cameras would be hooked up to NYPD systems, including the Domain Awareness System (built by Microsoft). LinkNYC has since updated its policy to state that it will take reasonable efforts to notify users if their information is being shared with law enforcement.
In May of this year, Charles Meyers, an undergraduate at New York City College of Technology, came across folders in LinkNYC’s public library on GitHub, a platform for managing files and software, that appear to raise further questions about location tracking and the platform’s protection of its users’ data. Meyers made copies of the codebases in question — “LinkNYC Mobile Observation” and “RxLocation” — and shared both folders with The Intercept.
LinkNYC disputes these speculations. David Mitchell, Intersection’s chief technology officer, told The Intercept that the code was never intended to be released and was part of a longer-term research and development process. “In this instance,” he explained over email, “Intersection was prototyping and testing some ideas internally, using employee data only, and mistakenly made source code public on GitHub. This code is not in use on the LinkNYC network.” An Intersection spokesperson added that LinkNYC does not collect users’ clickstream data or browsing history, and that it has not used the “RxLocation” codebase to collect user data. LinkNYC did not respond to repeated questions about the function or purpose of the code.
The Intercept asked four technologists, including a computer forensics investigator and an expert on Wi-Fi location tracking, to independently review the code. Each confirmed that the code could execute commands as Meyers had described, but they emphasized that it was not possible to determine the purpose of the code and whether it was actually running on any kiosks or devices based on the information given. They concluded that it was unlikely that the code was currently in use, as its unfinished security features pointed to the fact that it appeared to be in progress, possibly for a mobile product. “We don’t know why it exists, but the fact that it exists is creepy,” explained Surya Mattu, a research scientist and artist. “There’s no way properly to interrogate this further as a third party.”
A few hours after The Intercept contacted LinkNYC for comment, the company demanded that GitHub remove Meyers’s copy of its code due to copyright violations.
Connecting — and Controlling — Communities
As LinkNYC expands across the globe — Intersection has unveiled plans for kiosks in Philadelphia, Toronto, and the U.K. — so too does the scope of the concerns surrounding it. Shahid Buttar, the EFF’s director of grassroots advocacy, has warned of the possibility of mission creep — that is, the expansion of LinkNYC’s uses beyond its stated purpose to provide free Wi-Fi. “There’s no reason to presume that a current statement of policy will constrain the consortium of the future,” Buttar said.
This distinction, privacy experts say, ignores the fact that device identifiers — even when anonymized — provide more than enough information to tell advertisers, law enforcement, or malefactors who we are, since most phones and computers are used by the individuals who own them. Knowing that a device has been in multiple locations, along with the history of the Wi-Fi networks it has visited, can provide enough information for someone to find out where individuals live, work, commute, shop, and so on. A recent Associated Press investigation found that many Google services for Android devices and iPhones were storing location data even when users had turned on a privacy setting to prevent Google from doing so.
The NYCLU and EFF stated that the ambiguity surrounding Meyers’s discovery of the code underscores the need for community-driven initiatives to protect the privacy and civil liberties of users. As EFF has noted, there are no means for New Yorkers to participate in decisions about how data from LinkNYC kiosks will be used, with whom they will be shared, for how long they will be retained, or whether the parameters under which they are initially collected might expand in the future. In response to Meyers’s findings, ReThink LinkNYC is calling for third-party oversight to confirm that the company’s software does what it says it does.
In a follow-up email to The Intercept, Saini explained that the city’s audits will be “triggered when DoITT feels that an investigation of specific franchisee practices is necessary.” At present there are no regular audits of the CityBridge agreement to determine whether LinkNYC is violating users’ privacy.
“We don’t know if it’s being held to its standards because there is so much opacity and not enough transparency surrounding the system,” explained Buttar. “There needs to be some designated processes with public accountability and participation before the kiosk system and private organizations that constitute the consortium can propose changes unilaterally on millions of users.”
Correction: September 18, 2018
Update: September 10, 2018
Charles Meyers filed a counter notice with GitHub, challenging LinkNYC’s takedown demand, and he has made the code he found available again here.